Featured Database Articles

Many of the activities that DBAs do through the Oracle Enterprise Manager 12 Cloud Control GUI interface can also be accomplished via the Command Line Interface (EM CLI). Last month, we explored how to install and configure the EM CLI. This article will explore the commands used for managing credentials for Cloud Control.

A Review of OEM 12c Cloud Control Credentials

Credentials are used to access most of the targets managed in EM12c, in particular database and host targets. In many cases the credentials are a combination of username and password and are encrypted and stored in Enterprise Manager.

There are five categories of credentials in 12c Cloud Control: Named Credentials, Job Credentials, Monitoring Credentials, Collection Credentials and Preferred Credentials.

Named Credentials

Named credentials are stored as their own independent objects in EM. Administrators can define and store credentials with an object name. EM Administrators are granted access to a named credential to be used to do activities against a target. What is extremely powerful about named credentials is the fact that the user who is accessing a target or running a job using a named credential in EM12c, never actually sees the sensitive information (such as the password) associated with the named credential.

In EM12c Cloud Control, the job system uses the credential subsystem to get the appropriate information to submit a job to a target. When submitting a job, the administrator can configure the job to use preferred credentials, named credentials or new credentials set up for the job.

Monitoring Credentials

The monitoring credentials are used by Management Agents on certain targets. The most common example would be database targets. In order to monitor a database there has to be a connection to that database that includes a username, password and generally a role.

Monitoring credentials stored in EM12c Cloud Control can be also be used by other applications to connect to the target from the OMS.

Collection Credentials

These are the credentials associated with metric extensions and their precursors, user defined metrics. For many metrics to be collected, analyzed and tested, a connection to the target via credentials is required.

Preferred Credentials

Preferred credentials simplify access to the targets by storing the login credentials for a target in EM. Administrators can use the preferred credentials to connect to a target without being prompted to log into the target each time they try to access that object. Preferred credentials are set on a per user basis.

Using EM CLI to Manage Credentials

Clearing Credentials

The following commands clear credential information using the EM CLI.

clear_credential

This command clears preferred or monitoring credentials for a specified user.

clear_default_pref_credential

This command clears the credential set as the default preferred credential for that user for that target. The actual named credential itself is not deleted, only the use of that named credential as the default preferred credential.

clear_preferred_credential

This command clears the credential set as the named preferred credential for that user for that target. The actual named credential itself is not deleted, only the use of that named credential as the preferred credential.

create_named_credential

This command is used to create a named credential. The tags can be specified in the command, or placed into a properties file. We can also use the input_file option for specifying passwords and parameter values.

get_named_credential

Merging Credentials

merge_credentials

This command is used to merge credentials into one – it is useful after running the get_duplicate_credential command and discovering that we have more than one credential essentially doing the same thing.

General Update Commands for Credentials

update_host_password

This command updates a changed host password in the credential system – for monitoring credentials the password change is propagated to the EM Agents. You will be prompted to enter the old password, the new password and retype the new password.

This command updates a changed target password in the credential system – for monitoring credentials the password change is propagated to the EM Agents. You will be prompted to enter the old password, the new password and retype the new password.